Malware Analysis Report

2024-12-07 13:02

Sample ID 241113-rrcv6stcmb
Target beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe
SHA256 beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179
Tags
bootkit discovery persistence spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179

Threat Level: Likely malicious

The file beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer upx

Blocklisted process makes network request

Deletes itself

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Writes to the Master Boot Record (MBR)

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:25

Reported

2024-11-13 14:27

Platform

win7-20240903-en

Max time kernel

112s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\gyaal.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\gyaal.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\gvufb\\hhiseyjbc.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\gyaal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe N/A
N/A N/A \??\c:\gyaal.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1932 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1932 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1932 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1932 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\gyaal.exe
PID 1932 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\gyaal.exe
PID 1932 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\gyaal.exe
PID 1932 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\gyaal.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2556 wrote to memory of 1692 N/A \??\c:\gyaal.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe

"C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\gyaal.exe "C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\gyaal.exe

c:\gyaal.exe "C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\gvufb\hhiseyjbc.dll",init c:\gyaal.exe

Network

Country Destination Domain Proto
US 67.198.215.212:803 tcp
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp

Files

memory/2364-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2364-1-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2364-3-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\gyaal.exe

MD5 c0e89614c376438c8019234d8400de30
SHA1 37438fca4f44fe5a6dd15583787090628993b762
SHA256 b9270070595bd6b1917cac072887901933fd3fbed79506ac613921492739b59d
SHA512 f352eeb0874b898130c6748495281b90491d6bc6ae17dd9200491e720395c6b2d693f5425dc27dc78617094fb38372b0d738a035d4fee6d180e0464b8e8b8eac

memory/2556-6-0x00000000002E0000-0x00000000002E2000-memory.dmp

memory/2556-9-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\gvufb\hhiseyjbc.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/1692-17-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1692-16-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1692-14-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1692-18-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1692-23-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1692-24-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1692-25-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 14:25

Reported

2024-11-13 14:27

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\hbanywhun.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\hbanywhun.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\pinvuq\\akgbq.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
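Both detonations record rundll32.exe opening \??\PHYSICALDRIVE0 for modification while running the dropped DLL, which is what the bootkit tag rests on; the report does not show what was written to the disk. The following check is added here as an example and is not taken from the report or the sandbox: it parses a 512-byte MBR sector, validates the 0x55AA boot signature, decodes the four partition entries and hashes the 440-byte bootstrap region so the result can be compared with a hash recorded earlier from a known-good image of the same machine. The two sample sectors, the baseline hash and the partition layout are constructed inline; read_mbr() is the only part that touches a real disk and needs administrator rights. On UEFI/GPT systems sector 0 is only a protective MBR, so this covers legacy BIOS boot code and says nothing about the EFI system partition.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOTSTRAP_LEN = 440     # classic MBR: bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440      # 4-byte NT disk signature, followed by 2 reserved bytes
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector: signature check, partition table, bootstrap hash."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if type_id == 0:
            continue                      # empty slot
        partitions.append(Partition(i, status == 0x80, type_id, lba_start, count))
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_against_baseline(sector: bytes, baseline_bootstrap_sha256: str) -> list[str]:
    """Return findings; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline (possible bootkit install)")
    bootable = [p for p in info["partitions"] if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected exactly 1)")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows path shown; needs administrator rights)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sector for the example; not an image of the analysed machine."""
    body = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    body += struct.pack("<I", 0x2B7E1516) + b"\x00\x00"          # disk signature + reserved
    body += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)   # one bootable NTFS partition
    body += b"\x00" * 48                                         # three empty entries
    body += b"\x55\xaa"
    assert len(body) == SECTOR
    return body


# Baseline taken from the "clean" sector; a real deployment stores this hash per machine.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
# Same layout with patched first bytes, as an overwrite of the bootstrap would leave it.
TAMPERED_MBR = build_sample_mbr(b"\xea\x00\x7c\x00\x00")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_against_baseline(sector, BASELINE_SHA256) or "OK")
```

Run it against a live host as check_against_baseline(read_mbr(), stored_hash); the partition-table fields are decoded so that a changed boot flag or start sector is caught even when the bootstrap hash still matches.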

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\hbanywhun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe N/A
N/A N/A \??\c:\hbanywhun.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe

"C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\hbanywhun.exe "C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\hbanywhun.exe

c:\hbanywhun.exe "C:\Users\Admin\AppData\Local\Temp\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\pinvuq\akgbq.dll",init c:\hbanywhun.exe
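Across both runs the launch chain is the same: the sample spawns cmd.exe, which pings 127.0.0.1 twice as a short delay and then starts a dropped executable in the drive root (c:\gyaal.exe on Windows 7, c:\hbanywhun.exe on Windows 10) with the original path as its argument; that process is the one flagged under Deletes itself, and it hands control to rundll32.exe with a DLL under a randomly named directory and the export init. Running inside rundll32, the DLL writes the same rundll32 command under an EvtMgr Run value in the user hive. The dropped EXE and every path differ between the two runs, but the DLL hashes (MD5 42fe886bcb6460f7c2a46e21ecac5da6) are identical across both detonations, so the file hash outlives the path as an indicator. The script below is an added example, not part of the report: it encodes those three behaviours as rules over process-creation and registry-set records. The event dictionaries are constructed to mirror the behavioral1 process list and PIDs; their field names (type, pid, image, command_line, target, details) are an assumption and have to be mapped onto whatever telemetry (Sysmon, EDR) is in use.

```python
from __future__ import annotations

import re
from typing import Iterable

# Directories a legitimately installed DLL is normally loaded from via rundll32.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# rundll32[.exe] "<path>.dll",<export>   (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
# ping 127.0.0.1 -n N&<drive>:\<dropped>.exe "<original>.exe"
PING_RELAUNCH_RE = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*"?([a-z]:\\[^\s"]+\.exe)"?\s+"?([^"]+\.exe)"?', re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def dll_is_untrusted(path: str) -> bool:
    """True when rundll32 is pointed at a DLL outside the usual install locations."""
    p = path.lower()
    if "\\" not in p:             # bare name: resolved from the system directory
        return False
    return not p.startswith(TRUSTED_DLL_DIRS)


def analyse(events: Iterable[dict]) -> list[str]:
    """Apply the three rules and return one finding string per hit, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            cmd = ev["command_line"]
            m = PING_RELAUNCH_RE.search(cmd)
            if m and ev["image"].lower().endswith("\\cmd.exe"):
                findings.append(
                    f"pid {ev['pid']}: ping-delayed relaunch of {m.group(1)} with original {m.group(2)}")
            m = RUNDLL_RE.search(cmd)
            if m and dll_is_untrusted(m.group(1)):
                findings.append(
                    f"pid {ev['pid']}: rundll32 loads {m.group(1)} (export {m.group(2)}) from an untrusted directory")
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            m = RUNDLL_RE.search(ev["details"])
            if m and dll_is_untrusted(m.group(1)):
                value_name = ev["target"].rsplit("\\", 1)[-1]
                findings.append(
                    f"pid {ev['pid']}: Run value {value_name} persists rundll32 + {m.group(1)}")
    return findings


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\beca642671cd38cc9309f76ebb9f10ba80205290f285f5c2a80aa0ed09f22179.exe")

# Constructed records mirroring the behavioral1 process list (PIDs as reported there).
EVENTS = [
    {"type": "process_create", "pid": 2364, "image": SAMPLE_EXE, "command_line": f'"{SAMPLE_EXE}"'},
    {"type": "process_create", "pid": 1932, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'cmd.exe /c ping 127.0.0.1 -n 2&c:\\gyaal.exe "{SAMPLE_EXE}"'},
    {"type": "process_create", "pid": 2692, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "command_line": "ping 127.0.0.1 -n 2"},
    {"type": "process_create", "pid": 2556, "image": r"c:\gyaal.exe",
     "command_line": f'c:\\gyaal.exe "{SAMPLE_EXE}"'},
    {"type": "process_create", "pid": 1692, "image": r"c:\windows\SysWOW64\rundll32.exe",
     "command_line": r'c:\windows\system32\rundll32.exe "c:\gvufb\hhiseyjbc.dll",init c:\gyaal.exe'},
    {"type": "registry_set", "pid": 1692,
     "target": r"HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
     "details": r'c:\windows\SysWOW64\rundll32.exe "c:\gvufb\hhiseyjbc.dll",init'},
    # Benign control (constructed): a vendor DLL under Program Files must not fire.
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Program Files\Vendor\updater.dll",Check'},
]

if __name__ == "__main__":
    for line in analyse(EVENTS):
        print(line)
```

The rundll32 rule deliberately trusts bare DLL names such as shell32.dll, which Windows resolves from the system directory; what it is after is an explicit path into a directory no installer would use, which is exactly what both detonations show.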

Network

The rows to 8.8.8.8:53 are reverse (PTR) lookups for cloud/CDN address space, the background traffic a Windows 10 image generates on its own; on this evidence only the TCP connections to 67.198.215.212-214 are attributable to the sample, and they match the three endpoints and ports seen in behavioral1.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 67.198.215.212:803 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 67.198.215.214:805 tcp
US 67.198.215.213:3204 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 67.198.215.213:3204 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 67.198.215.213:3204 tcp

Files

memory/3296-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3296-1-0x00000000005C0000-0x00000000005C2000-memory.dmp

memory/3296-3-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\hbanywhun.exe

MD5 fb35256dc8ae9f25e83660c89d0e71e6
SHA1 ce4187241bd67a11b2d3c5cb500c929c73613a7b
SHA256 b8a604e04bffa0dd82b9c7aac8047b15a5a0dd46248bd12dceecc5ca383ec586
SHA512 62af8c0de94401efb83c9658ab4a95f712942b2a0e2d88d3b3a93bd2ca04242c02022b81eee64814c26b16a21fb19fae56e432c5b95339947d1cebf876c81867

memory/4832-7-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/4832-10-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\pinvuq\akgbq.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/3480-13-0x0000000010000000-0x0000000010024000-memory.dmp

memory/3480-14-0x0000000010000000-0x0000000010024000-memory.dmp

memory/3480-16-0x0000000010000000-0x0000000010024000-memory.dmp

memory/3480-18-0x0000000010000000-0x0000000010024000-memory.dmp